On-Demand Scans for Configuration Audit for SaaS execute periodically to extract configuration information and evaluate it against preconfigured Security Configuration Audit policies. For Microsoft 365, these scans run once every 24 hours.
At this time, you cannot create a new scan or modify the frequency of these scans.
To view On-Demand Scans for Configuration Audit and any possible errors:
- Go to Policy > On-Demand Scan.
- Filter for Scan Type > Configuration Audit.
- Service Name > Microsoft SharePoint.
- To view any errors, click the link under Last Scan Errors.
Microsoft 365 Scan Errors
Microsoft 365 Configuration Audit scans may display errors because some of the policies require permissions (or scopes) that are not available for the Microsoft user. Policies related to Azure Active Directory or Microsoft Intune may fall into this category. If the user doesn’t have permissions, an On-Demand Scan error is shown.
This problem could occur if the required licenses are not present, like if the Microsoft 365 account is not licensed for Microsoft Intune. If the account has the required licenses, to address this problem, disable and enable the SharePoint API again. When the SharePoint API is enabled again, the required scopes are requested from Microsoft 365. This change may take up to an hour.
Another option is to go to the Configuration Audit Policies page and disable the policies associated with Azure AD and Microsoft Intune.